From aa7ea9c605458b98eefd7f78a6a933c494e976f5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 9 Oct 2020 09:38:44 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch
net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch
usermodehelper-reset-umask-to-default-before-executing-user-process.patch
vhost-don-t-call-access_ok-when-using-iotlb.patch
vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch
---
 ...ainst-null-pointer-access-in-mem_del.patch | 34 ++++++++++
 ...-of-bounds-access-in-nl80211_del_key.patch | 42 ++++++++++++
 queue-5.4/series | 5 ++
 ...efault-before-executing-user-process.patch | 64 +++++++++++++++++++
 ...on-t-call-access_ok-when-using-iotlb.patch | 58 +++++++++++++++++
 ...et_used_size-in-vhost_vring_set_addr.patch | 36 +++++++++++
 6 files changed, 239 insertions(+)
 create mode 100644 queue-5.4/drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch
 create mode 100644 queue-5.4/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch
 create mode 100644 queue-5.4/usermodehelper-reset-umask-to-default-before-executing-user-process.patch
 create mode 100644 queue-5.4/vhost-don-t-call-access_ok-when-using-iotlb.patch
 create mode 100644 queue-5.4/vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch
diff --git a/queue-5.4/drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch b/queue-5.4/drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch
new file mode 100644
index 00000000000..58422cfb64e
--- /dev/null
+++ b/queue-5.4/drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch
@@ -0,0 +1,34 @@
+From d10285a25e29f13353bbf7760be8980048c1ef2f Mon Sep 17 00:00:00 2001
+From: Karol Herbst
+Date: Wed, 7 Oct 2020 00:05:28 +0200
+Subject: drm/nouveau/mem: guard against NULL pointer access in mem_del
+
+From: Karol Herbst
+
+commit d10285a25e29f13353bbf7760be8980048c1ef2f upstream.
+
+other drivers seems to do something similar
+
+Signed-off-by: Karol Herbst
+Cc: dri-devel
+Cc: Dave Airlie
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie
+Link: https://patchwork.freedesktop.org/patch/msgid/20201006220528.13925-2-kherbst@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/nouveau/nouveau_mem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_mem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_mem.c
+@@ -176,6 +176,8 @@ void
+ nouveau_mem_del(struct ttm_mem_reg *reg)
+ {
+ struct nouveau_mem *mem = nouveau_mem(reg);
++ if (!mem)
++ return;
+ nouveau_mem_fini(mem);
+ kfree(reg->mm_node);
+ reg->mm_node = NULL;
diff --git a/queue-5.4/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch b/queue-5.4/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch
new file mode 100644
index 00000000000..69bfea1c33c
--- /dev/null
+++ b/queue-5.4/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch
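Review bot: The new `if (!mem) return;` in nouveau_mem_del() also skips `kfree(reg->mm_node)` and `reg->mm_node = NULL`, so it is only a harmless no-op guard if nouveau_mem(reg) is NULL exactly when reg->mm_node is NULL; nouveau_mem() is outside this hunk, so that equivalence should be confirmed rather than assumed. The inner commit message ("other drivers seems to do something similar") does not name the caller that reaches mem_del() with an empty reg, which a stable backport reviewer would want in order to judge whether the guard hides a real lifetime bug. A why-comment on the guard would carry that context into the code, e.g. `/* reg may never have been given backing memory; nothing to tear down. */`, once the caller path is known. The closing brace of nouveau_mem_del() lies outside the hunk.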
@@ -0,0 +1,42 @@
+From 3dc289f8f139997f4e9d3cfccf8738f20d23e47b Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam
+Date: Wed, 7 Oct 2020 09:24:01 +0530
+Subject: net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
+
+From: Anant Thazhemadam
+
+commit 3dc289f8f139997f4e9d3cfccf8738f20d23e47b upstream.
+
+In nl80211_parse_key(), key.idx is first initialized as -1.
+If this value of key.idx remains unmodified and gets returned, and
+nl80211_key_allowed() also returns 0, then rdev_del_key() gets called
+with key.idx = -1.
+This causes an out-of-bounds array access.
+
+Handle this issue by checking if the value of key.idx after
+nl80211_parse_key() is called and return -EINVAL if key.idx < 0.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
+Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam
+Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3975,6 +3975,9 @@ static int nl80211_del_key(struct sk_buf
+ if (err)
+ return err;
+
++ if (key.idx < 0)
++ return -EINVAL;
++
+ if (info->attrs[NL80211_ATTR_MAC])
+ mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+
diff --git a/queue-5.4/series b/queue-5.4/series
index b3cdf024128..d282fd56754 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
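Review bot: The added `if (key.idx < 0) return -EINVAL;` only bounds key.idx from below; whether nl80211_parse_key() already rejects indices above the driver's key array size is not visible in this hunk and should be confirmed before treating this check as the complete fix for the out-of-bounds access. Per the inner commit message key.idx starts at -1 inside nl80211_parse_key() and stays there when no index is supplied, so the same -1 can presumably reach any other caller that indexes by key.idx (nl80211_set_key()/nl80211_new_key() are outside this hunk and worth auditing). A one-line comment would record the intent, e.g. `/* a key index is mandatory for delete; parse_key leaves -1 when none was given */`. nl80211_del_key() begins and ends outside the hunk.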
@@ -6,3 +6,8 @@ io_uring-fix-resource-leaking-when-kill-the-process.patch
 io_uring-fix-missing-smp_mb-in-io_cancel_async_work.patch
 io_uring-fix-remove-irrelevant-req-from-the-task_list.patch
 io_uring-fix-double-list-add-in-io_queue_async_work.patch
+net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch
+drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch
+vhost-don-t-call-access_ok-when-using-iotlb.patch
+vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch
+usermodehelper-reset-umask-to-default-before-executing-user-process.patch
diff --git a/queue-5.4/usermodehelper-reset-umask-to-default-before-executing-user-process.patch b/queue-5.4/usermodehelper-reset-umask-to-default-before-executing-user-process.patch
new file mode 100644
index 00000000000..eb7dec57a46
--- /dev/null
+++ b/queue-5.4/usermodehelper-reset-umask-to-default-before-executing-user-process.patch
@@ -0,0 +1,64 @@
+From 4013c1496c49615d90d36b9d513eee8e369778e9 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 5 Oct 2020 10:56:22 -0700
+Subject: usermodehelper: reset umask to default before executing user process
+
+From: Linus Torvalds
+
+commit 4013c1496c49615d90d36b9d513eee8e369778e9 upstream.
+
+Kernel threads intentionally do CLONE_FS in order to follow any changes
+that 'init' does to set up the root directory (or cwd).
+
+It is admittedly a bit odd, but it avoids the situation where 'init'
+does some extensive setup to initialize the system environment, and then
+we execute a usermode helper program, and it uses the original FS setup
+from boot time that may be very limited and incomplete.
+
+[ Both Al Viro and Eric Biederman point out that 'pivot_root()' will
+ follow the root regardless, since it fixes up other users of root (see
+ chroot_fs_refs() for details), but overmounting root and doing a
+ chroot() would not. ]
+
+However, Vegard Nossum noticed that the CLONE_FS not only means that we
+follow the root and current working directories, it also means we share
+umask with whatever init changed it to. That wasn't intentional.
+
+Just reset umask to the original default (0022) before actually starting
+the usermode helper program.
+
+Reported-by: Vegard Nossum
+Cc: Al Viro
+Acked-by: Eric W. Biederman
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/umh.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/kernel/umh.c
++++ b/kernel/umh.c
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -76,6 +77,14 @@ static int call_usermodehelper_exec_asyn
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ /*
++ * Initial kernel threads share ther FS with init, in order to
++ * get the init root directory. But we've now created a new
++ * thread that is going to execve a user process and has its own
++ * 'struct fs_struct'. Reset umask to the default.
++ */
++ current->fs->umask = 0022;
++
++ /*
+ * Our parent (unbound workqueue) runs with elevated scheduling
+ * priority. Avoid propagating that into the userspace child.
+ */
diff --git a/queue-5.4/vhost-don-t-call-access_ok-when-using-iotlb.patch b/queue-5.4/vhost-don-t-call-access_ok-when-using-iotlb.patch
new file mode 100644
index 00000000000..95aea6aa34e
--- /dev/null
+++ b/queue-5.4/vhost-don-t-call-access_ok-when-using-iotlb.patch
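Review bot: `current->fs->umask = 0022;` hard-codes the policy as a bare octal literal; spelling it as `S_IWGRP | S_IWOTH` (if the mode-bit definitions are in scope in umh.c) or at least commenting `/* 0022: clear group/other write, the historic default */` makes it greppable and self-explaining. The unlocked write is justified by the new comment's claim that this thread has its own `struct fs_struct`; that depends on the clone flags used to create the helper thread, which are outside this hunk, so naming them in the comment would let a reader verify it. Typo in the added comment: `share ther FS` should read `share their FS`. Security-wise the reset matters in both directions (an over-restrictive init umask breaks helpers, a permissive one such as 0 lets helpers create world-writable files), which is worth a clause in the comment. call_usermodehelper_exec_async() starts and ends outside the hunk.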
@@ -0,0 +1,58 @@
+From 0210a8db2aeca393fb3067e234967877e3146266 Mon Sep 17 00:00:00 2001
+From: Greg Kurz
+Date: Sat, 3 Oct 2020 12:01:52 +0200
+Subject: vhost: Don't call access_ok() when using IOTLB
+
+From: Greg Kurz
+
+commit 0210a8db2aeca393fb3067e234967877e3146266 upstream.
+
+When the IOTLB device is enabled, the vring addresses we get
+from userspace are GIOVAs. It is thus wrong to pass them down
+to access_ok() which only takes HVAs.
+
+Access validation is done at prefetch time with IOTLB. Teach
+vq_access_ok() about that by moving the (vq->iotlb) check
+from vhost_vq_access_ok() to vq_access_ok(). This prevents
+vhost_vring_set_addr() to fail when verifying the accesses.
+No behavior change for vhost_vq_access_ok().
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1883084
+Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API")
+Cc: jasowang@redhat.com
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Greg Kurz
+Acked-by: Jason Wang
+Link: https://lore.kernel.org/r/160171931213.284610.2052489816407219136.stgit@bahia.lan
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/vhost.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1299,6 +1299,11 @@ static bool vq_access_ok(struct vhost_vi
+ struct vring_used __user *used)
+
+ {
++ /* If an IOTLB device is present, the vring addresses are
++ * GIOVAs. Access validation occurs at prefetch time.
*/
++ if (vq->iotlb)
++ return true;
++
+ return access_ok(desc, vhost_get_desc_size(vq, num)) &&
+ access_ok(avail, vhost_get_avail_size(vq, num)) &&
+ access_ok(used, vhost_get_used_size(vq, num));
+@@ -1394,10 +1399,6 @@ bool vhost_vq_access_ok(struct vhost_vir
+ if (!vq_log_access_ok(vq, vq->log_base))
+ return false;
+
+- /* Access validation occurs at prefetch time with IOTLB */
+- if (vq->iotlb)
+- return true;
+-
+ return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used);
+ }
+ EXPORT_SYMBOL_GPL(vhost_vq_access_ok);
diff --git a/queue-5.4/vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch b/queue-5.4/vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch
new file mode 100644
index 00000000000..fb9da908a34
--- /dev/null
+++ b/queue-5.4/vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch
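Review bot: With the early `if (vq->iotlb) return true;` vq_access_ok() now accepts any desc/avail/used values unchecked whenever an IOTLB is attached, so correctness rests entirely on every caller reaching the IOTLB translation before those ring pointers are used; the comment should point at where that validation actually happens rather than only saying "at prefetch time", e.g. `/* IOTLB present: desc/avail/used are GIOVAs, not HVAs, so access_ok() is meaningless here; the ranges are checked when the IOTLB translates them on prefetch. */`. The removed block in vhost_vq_access_ok() sat after vq_log_access_ok(), and since that call still precedes the vq_access_ok() call, the claimed "no behavior change" for that function holds as far as this hunk shows. vq->iotlb is read without any locking visible in the hunk; if callers are expected to hold vq->mutex (cannot tell from here), a comment saying so would stop a future lock-free caller from racing the IOTLB attach. Both vq_access_ok() and vhost_vq_access_ok() extend outside the hunk.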
@@ -0,0 +1,36 @@
+From 71878fa46c7e3b40fa7b3f1b6e4ba3f92f1ac359 Mon Sep 17 00:00:00 2001
+From: Greg Kurz
+Date: Sat, 3 Oct 2020 12:02:03 +0200
+Subject: vhost: Use vhost_get_used_size() in vhost_vring_set_addr()
+
+From: Greg Kurz
+
+commit 71878fa46c7e3b40fa7b3f1b6e4ba3f92f1ac359 upstream.
+
+The open-coded computation of the used size doesn't take the event
+into account when the VIRTIO_RING_F_EVENT_IDX feature is present.
+Fix that by using vhost_get_used_size().
+
+Fixes: 8ea8cf89e19a ("vhost: support event index")
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kurz
+Link: https://lore.kernel.org/r/160171932300.284610.11846106312938909461.stgit@bahia.lan
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/vhost.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1545,8 +1545,7 @@ static long vhost_vring_set_addr(struct
+ /* Also validate log access for used ring if enabled. */
+ if ((a.flags & (0x1 << VHOST_VRING_F_LOG)) &&
+ !log_access_ok(vq->log_base, a.log_guest_addr,
+- sizeof *vq->used +
+- vq->num * sizeof *vq->used->ring))
++ vhost_get_used_size(vq, vq->num)))
+ return -EINVAL;
+ }
+
--
2.47.3
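Review bot: `vhost_get_used_size(vq, vq->num)` now correctly includes the event-index bytes, but the log range is validated against vq->num as it stands when vhost_vring_set_addr() runs; if the ring size can still be changed afterwards (the ioctl ordering rules are outside this hunk) this check is only a first line of defence and the later re-validation, presumably the vq_log_access_ok() call made when the backend is attached, is what must be relied on. A comment would make that contract explicit, e.g. `/* checked against the current vq->num; re-validated via vq_log_access_ok() before the ring goes live */`, hedged until the ioctl handler confirms it. The condition only guards the used ring, which matches the existing comment that only the used ring is dirty-logged here, so nothing further seems needed on that side. vhost_vring_set_addr() starts and ends outside the hunk.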